CVE-2018-9275

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-9275
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9275.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-9275
Downstream
Related
Published
2018-04-04T18:29:02.497Z
Modified
2026-04-11T14:11:15.735810Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
Summary
[none]
Details

In checkusertoken in util.c in the Yubico PAM module (aka pam_yubico) 2.18 through 2.25, successful logins can leak file descriptors to the auth mapping file, which can lead to information disclosure (serial number of a device) and/or DoS (reaching the maximum number of file descriptors).

References

Affected packages

Git / github.com/Yubico/yubico-pam

Affected ranges

Type
GIT
Repo
https://github.com/Yubico/yubico-pam
Events
Introduced
f5363a207b14d46b86022e598399a31201164594
Last affected
432d7c60a1f64bfd1ad05683392cec36c6bc8455
Database specific 
{
    "versions": [
        {
            "introduced": "2.18"
        },
        {
            "last_affected": "2.25"
        }
    ]
}
Type
GIT
Repo
https://github.com/yubico/yubico-pam
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0f6ceabab0a8849b47f67d727aa526c2656089ba

Affected versions

2.*
2.10
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.18
2.19
2.20
2.21
2.22
2.23
2.24
2.25
2.5
2.6
2.6pre2
2.6pre3
2.7
2.8
2.9
v2.*
v2.6

Database specific

vanir_signatures 
[
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2018-9275-73e96989",
        "digest": {
            "line_hashes": [
                "226607563752128757887514930765907415801",
                "279701570390930019583909742435872770862",
                "308494850977619412175153327874514612777",
                "203417458892300943278019038761638732730"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c2656089ba",
        "signature_type": "Line",
        "target": {
            "file": "util.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2018-9275-fa157aba",
        "digest": {
            "length": 1698.0,
            "function_hash": "119299559369141334615512022658670539382"
        },
        "source": "https://github.com/yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c2656089ba",
        "signature_type": "Function",
        "target": {
            "file": "util.c",
            "function": "check_user_token"
        }
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9275.json"
vanir_signatures_modified 
"2026-04-11T14:11:15Z"